8.7. Estimating Damages


So how exactly does a victim calculate losses? Even though computer crime cases go back decades, there was little firm guidance from state or federal legislatures in the United States on how to calculate damages from computer security incidents, let alone a definition of what "losses" were in these cases. This led to a great deal of confusion, and situations in which widespread intrusions involving dozens of sites were not investigated, because no single victim was willing or able to show a loss that exceeded the $5,000 limit necessary to trigger federal statutes, such as the Computer Fraud and Abuse Act (CFAA) (18 U.S.C. §1030).

Under the original CFAA, it was unclear whether damages could be aggregated. This meant that in a DDoS attack involving hundreds or thousands of sites, each hosting a handful of agents, any one site (if it calculated damages at all) would suffer "losses" only in the low thousands of dollars. Since each site would be looked at in isolation, conceivably none would meet the $5,000 limit, so pursuing prosecution would not be justified. If the victim was simply a public IRC server with no paying customers, its losses could similarly fall below the $5,000 limit. There would be no case, even if in reality that one attacker had caused aggregate damages across the series of attacks running into the tens of thousands of dollars.

In some cases where there were multiple charges, for example, when a sniffer was used to capture user passwords as they were transmitted over the network, prosecutors would use the federal wiretap statute or "trafficking in access devices" (that is, the passwords) as the basis on which to prosecute. In other cases in which the suspect possessed credit card numbers, statutes involving trafficking of credit card numbers would be used. None of these statutes required proving a minimum amount of monetary damages (or any monetary damages at all).

A court decision in 2000, however, in the case United States v. Middleton did set a precedent in calculating damages. Nicholas Middleton worked as a system programmer for an ISP named Slip.net. He had intimate knowledge of how the system worked. He became dissatisfied with his job at Slip.net, and he quit. After quitting, he continued to use an account that Slip.net had given him, and used special computer programs to elevate privileges and delete accounts and files. His former employer tracked this activity to his account, and reported it to authorities. Middleton was arrested for causing damage to a "protected computer" without authorization, in violation of 18 U.S.C. §1030(a)(5)(A) and was later convicted [mid].

In the instructions to the jury on calculating damages, the court in Middleton stated:

The term "loss" means any monetary loss that Slip.net sustained as a result of any damage to Slip.net's computer data, program, system or information that you find occurred.

And in considering whether the damage caused a loss less than or greater than $5,000, you may consider any loss that you find was a natural and foreseeable result of any damage that you find occurred.

In determining the amount of losses, you may consider what measures were reasonably necessary to restore the data, program, system, or information that you find was damaged or what measures were reasonably necessary to re-secure the data, program, system, or information from further damage.

Middleton appealed, but a higher court held that the calculation of damages was valid and that the "losses" suffered by the victims of computer crimes could reasonably include a wide range of harms, including the costs of:

  1. Responding to the attack

  2. Conducting a damage assessment

  3. Restoring the system and data to their condition prior to the attack

  4. Any lost revenue or costs incurred due to the interruption of services

The USA Patriot Act of 2001 [oJa] amended 18 U.S.C. §1030(e)(11) to codify the decision of the courts in Middleton. Under these changes, the government is now able to aggregate "loss resulting from a related course of conduct affecting one or more other protected computers"[3] over a period of one year.

[3] The term protected computer is defined in 18 U.S.C. §1030(a)(5)(B)(i).

This also allows both phases of a DDoS attack (the compromise of the hosts used as agents and the attack on the final target) to be included, so that any subset of the damages from the many sites involved can be aggregated, making it easier to exceed the $5,000 jurisdictional threshold. Of course, this does not mean that the FBI will investigate every case that involves damages over $5,000, but it does make it easier to meet the minimum required amount of damages.

8.7.1. A Cost-Estimation Model

A model that is helpful for calculating such damages was developed as part of a study by a group of Big 10 (plus 1) universities. Called the "Incident Cost Analysis and Modeling Project" (or ICAMP) [oIC], the group used the following type of analysis.

  • Persons affected by the incident were identified and the amount of time spent/lost due to the incident was logged.

  • Staff/faculty/student employee time cost was calculated by dividing the individual's annual wage rate by 52 weeks and then by 40 hours per week to come up with an hourly rate. The hourly rate was then multiplied by the logged hours, and the result varied by +/- 15% to give a range.

  • A benefit rate of 28% is added (an average of the institutions in the study) to come up with a dollar loss per individual.

  • The total of all individuals' time, plus incidental expenses (e.g., hardware stolen/damaged, phone calls to other sites), is then calculated using a simple spreadsheet approach.

This model is described in more detail in a FAQ (frequently asked questions) file authored by David Dittrich [Dite], which includes references to an Excel spreadsheet that can be used as an example for calculating damages from an incident. The model is elaborated on in an article in SecurityFocus Online entitled "Developing an Effective Incident Cost Analysis Mechanism" [Ditc].

Figure 8.1 shows an example of the incident costs associated with a break-in to a single computer. It includes only the response costs incurred by an incident investigator and the administrator of the system. Both of their salaries, when broken down to an hourly rate, are $33.65. You simply multiply this rate by the number of hours spent, then include benefits and overhead costs. (In this example, there are no indirect costs.) Totaling these costs and applying an error factor of +/- 15% shows that the cost of cleanup for this single host is $1,695 +/- $254. The hardest part of this process is simply getting those involved to keep track of the time they spend, then doing the bookkeeping to aggregate damages within your organization. Many universities in the United States will frequently have hundreds or even thousands of computers compromised by a given worm or automated exploit, and restoring each affected computer to functionality costs the better part of a day or more of staff time per computer. The total length of time to clean up all affected systems may extend to several weeks, or even months, in real time. The result is an unrecognized loss of productivity across the institution of hundreds of thousands of dollars per incident.

Figure 8.1. Incident cost table

Title                            Hours   Cost/Hr   Total        -15%         +15%
Incident investigator            37      $33.65    $1,245.05    $1,058.29    $1,431.81
System administrator[*]          3       $33.65    $100.95      $85.81       $116.09
Benefits @ 28%                                     $348.61      $296.32      $400.91
Subtotal (salary and benefits)                     $1,694.61    $1,440.42    $1,948.81
Indirect costs                                     $0.00        $0.00        $0.00
Total labor cost                                   $1,694.61    $1,440.42    $1,948.81
Median cost +/- 15%                                $1,694.61    +/- $254.20

[*] Expected time for system reinstallation
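The ICAMP model of Section 8.7.1 and the Figure 8.1 worked example, as an added Python example (not the book's or the ICAMP project's own spreadsheet): it derives the hourly rate from an annual wage, applies the 28% benefit rate and the +/- 15% band, and adds indirect costs and incidental expenses as flat amounts. The $70,000 salary is constructed so that the hourly rate comes out at the figure's $33.65.

```python
from dataclasses import dataclass

WEEKS_PER_YEAR, HOURS_PER_WEEK = 52, 40
ERROR_MARGIN = 0.15   # ICAMP: vary the logged labor cost by +/- 15%
BENEFIT_RATE = 0.28   # ICAMP: average benefit rate across the study's institutions


@dataclass
class Person:
    title: str
    annual_salary: float   # wage rate per year
    hours: float           # time logged as spent/lost because of the incident

    def hourly_rate(self) -> float:
        # annual wage / 52 weeks / 40 hours, rounded to cents as a spreadsheet would
        return round(self.annual_salary / WEEKS_PER_YEAR / HOURS_PER_WEEK, 2)

    def labor_cost(self) -> float:
        return round(self.hourly_rate() * self.hours, 2)


def estimate_incident_cost(people, indirect=0.0, incidental=0.0):
    """ICAMP cost rows: labor, benefits, subtotal, total and the +/- 15% band.

    The band applies to the time-based figures (labor and the benefits
    derived from it); indirect costs and incidental expenses (stolen or
    damaged hardware, phone calls to other sites) are added as flat amounts.
    """
    labor = round(sum(p.labor_cost() for p in people), 2)
    benefits = round(labor * BENEFIT_RATE, 2)
    subtotal = round(labor + benefits, 2)
    margin = round(subtotal * ERROR_MARGIN, 2)
    total = round(subtotal + indirect + incidental, 2)
    return {"labor": labor, "benefits": benefits, "subtotal": subtotal,
            "indirect": indirect, "incidental": incidental, "total": total,
            "margin": margin, "low": round(total - margin, 2),
            "high": round(total + margin, 2)}


# Constructed input: a $70,000/year salary works out to $33.65/hour, the rate
# used in Figure 8.1; the hours are the figure's 37 (investigator) and 3 (reinstall).
FIGURE_8_1 = [Person("Incident investigator", 70_000, 37),
              Person("System administrator", 70_000, 3)]

if __name__ == "__main__":
    for row, value in estimate_incident_cost(FIGURE_8_1).items():
        print(f"{row:>10}: ${value:,.2f}")
```

Run as-is, the block reports $1,722.88 +/- $258.43 rather than the figure's $1,694.61 +/- $254.20, because it applies the 28% benefit rate to both people's time as the model's bullets describe, whereas the figure's benefits row ($348.61) equals 28% of the investigator's line alone.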

Internet Denial of Service: Attack and Defense Mechanisms
ISBN: 0131475738
Year: 2003